this piece was originally written for the Orange Business Live blog
On November 15, I was invited with a group of journalist to a press tour in the Silicon Valley (a sequel to our June 2010 press tour in the Valley). Our first presentation took place in Sunnyvale, Calif. at the main office of Zscaler, a ground-breaking cloud security provider, which is also a partner of Orange Business Services.
The landscape has evolved
The security landscape has changed dramatically over the past decade. Whereas most security threats (apart from social engineering) used to come from outside devices like floppy disks or the more recent usb keys, the vast majority of threats are now directly coming from the Internet. This has forced enterprises to equip themselves with a flurry of protection devices and software which have, over the years, generated staggering complexity; and now, this complexity is increasingly getting out of hand. Traffic and policy management have become so important that the very dissemination of such rules and policies are a major pain-point for CIOs, not to mention the fact that simple techniques such as url filtering for instance are not always proving very effective. Besides, traditional security measures generate humongous log files. Something had to be done, mostly in that age of cloud computing, in which all clients are now seeking to rent their IT instead of buying it. Zscaler’s approach is therefore not to compete in the same market as traditional players, but to redefine the game plan by providing security in the cloud.
The Zscaler blog
The company is security savvy and dedicated to the Web community. To that intent Zscaler have developed a R&D blog available at http://research.zscaler.com: the blog is packed with information about Web security and you are mostly advised to download their own blacksheep firefox plug-in, a security device which will protect your device from the firesheep wifi sniffing plug-in so as to avoid that your facebook details be stolen by malicious people.
What will be the future for Zscaler? Will the company sell itself to a bigger company? Zscaler is getting so many calls from VCs throughout the week that it would be an option if its CEO didn’t think that this isn’t one of his objectives. Zscaler is now performing so well that they think they are in a position “to build the salesforce.com of Internet Security”.
So far, the security market is a $1.2bn market dominated by a few players and then there are small players in the background. But the market is growing 30% year on year and Zscaler’s CEO think that it is still new and that “noone had ever done it properly so far”. This is why Zscaler thinks it can be a major player in that market by disrupting it and changing the ball game.
Below is a transcript of the presentation as it was delivered on November 15 in Sunnyvale, Calif. (the presentation was delivered by Shrey Bhatia, Zscaler’s head of worldwide field management and its CEO, Jay Chaudhry)
overview of Zscaler and its products
- largest standalone cloud security company protecting 800 companies in 140 countries, millions of users
- manage a cloud deployed across 40+ data centres globally
- r&d over 3 continents and own 30 patents on cloud security technologies
- with offices in 15 countries, US, Europe and APA
- positioned as the “most visionary” company by Gartner
- growing revenue by 50%
- clients include LVMH, Allianz, VW, Coca Cola, Wipro etc.
- “anyone who uses the Internet is a potential client of ours”
- in France, there are already many clients (see slide)already, and Orange Business Services is a partner of Zscaler’s (some of the French clients quoted on that slide were closed with Orange Business Services)
market overview: examples of how security is evolving on the Internet
- Web (http protocol) has become main attack vector
- over 80% of threats coming from the Web from 5% in 2000
- It’s no longer USB disks or floppy disks
- 85% of all traffic coming in and out of all companies (all types, small or large) is Web-based, this is why threats are coming from there too
Challenges facing the world in terms of Internet security
- all content is active, live with Flash and Java, and this is what is making security threats more challenging
- filtering: most companies want to control where employees are going. But the old list-based url is not working anymore. Facebook, wikipedia have evolving urls and it’s changing all the time. Besides blocking Facebook is an issue if the same company is launching multi million dollar advertising campaigns on Facebook!
- Web 1.0 sites were read-only whereas Web 2.0 sites are now a cause for iinformation leaks: webmail, blogs, IM …
- bandwidth is a real issue. Video is 20 times more exacting than text and companies are very concerned about the amount of bandwidth which is being used by video
- Road warriers are new challenge too: people go to salesforce.com and so many online applications that the Web has become so critical. So it is of paramount importance to protect the road warriers
- the last and one of the biggest challenge is cost and complexity: CEOs impose CIOs to do 20% more with a flat or even decreased budget
What Zscaler does and how they do it
- Zscaler sits between the user and the Internet anywhere in the world, whereever they are, and whatever device they use. User goes to the Zscaler cloud, and Zscaler is the trusted third party and is termiinating the transaction to the Internet.
- This is done with no hardware, no software, no plug-in, nothing!
- This is why very international companies choose Zscaler.
- How is it done?
- in the browser, one has proxy settings, and one has to change the proxy setting, it’s all you have to do and it can be done remotely
- can be done at device or office level, from the firewall or router
- Zscaler’s cloud is the most global cloud in the industry
- The “policies” are kept in the cloud and are moved around as companies and users are moving by moving the policies to the closest data centre. This is what is called “shadow policies”
- Latency is important, and this is why data centres have to be as close to users as possible
- In the past 6-7 years, companies have deployed MPLS networks: the biggest benefit is that bandwidth is divided by 2 and that latency is also improved. But network topologies are changing slowly because enterprises have spent a lot of time putting all their network topology together and they are naturally reluctant to throw everything away now. Hence it’s best to let them be more comfident with the service before they change their network infrastructure and re-engineer it.
- for all French customers, Zscaler is managing tens of thousands of users with just two boxes, and this is a lot easier and more cost effective than managing the complexity of myriad CPE’s (Customer Premises Equipment)
- Will it slow things down?
- Traditional security devices are firewall devices which weren’t designed to scale
- Zscaler had to build new boxes which are very scalable
- Standard costs to open 1 data centre is $1m, whereas Zscaler is able to open one for a fraction of that, with 2 boxes and can serve half a million users for that price
- nanolog technology is a special technology which compresses logs and speeds up transactions, it has been developed by Zscaler (traditional logs for an average large company are going to generate 50-100GB of data every day. none of that information can be searched or used)
- If everything is centralised how do minimise threats?
- the goal of a cracker is to get to the user’s machine an monetise information or turn it into a bot
- Zscaler is just a conduit, hence it’s just a bridge, and there is not much value in accessing Zscaler’s boxes
- Zscaler spends an awful lot of time and R&D to protect their servers and make the service safe
- 4 types of Services come on top of that infrastructure:
- Web security: Antivirus and Advanced threats browser contro, E-mail security
- Web control: url filtering, web 2.0, limiting bandwidth (i.e. ensuring that YouTube for instance will not take up more than 30% of the total bandwidth)
- Web DLP (data leaks/loss prevention)
- Web analytics
- save money and time, best security and policy management, real time reporting, easy to deploy data loss protection mechanism, near-zero latency (high performance proxy and breadth of cloud), integrated email & web
- What Zscaler isn’t: Zscaler isn’t playing in the Wan optimisation space